Zero trust refers to a cybersecurity strategy or set of principles based on the understanding that an account or device being associated with the organization, or having seemed trustworthy in the past, doesn’t mean it should be assumed trustworthy in the future. The mindset assumes an attacker could already be inside the network and emphasizes limiting a bad actor’s ability to access data and other resources.
Organizations adopting zero-trust principles require users — and devices — to continually prove they are who they claim to be, whenever they want to access data or services. This stands in contrast to older thinking in which users may have only had to authenticate themselves once to enter the organization’s network, such as by logging in, and then were granted access to a wide swathe of internal resources.
These approaches often involve applying more robust identity verification methods — think multifactor authentication (MFA) rather than just a username and password — and encrypting all communications, even those within the organization’s network.
Core zero-trust principles also involve restricting users’ access privileges to the minimum amount they need to do their jobs, something known as the “principle of least privilege” (POLP).
WHY NOW?
The more traditional “castle and moat” approach saw organizations focus on securing the perimeters of their networks to block out malicious actors. Those who provided the right credentials were assumed to be trustworthy and allowed through firewalls to access many of the network’s systems and data, without necessarily having to re-authorize themselves at each access attempt.
But many of today’s organizations rely on workforces that are no longer on premises and on assets stored in the cloud — meaning there’s no longer a castle to wrap the moat around. Remote employees connect to the network from a variety of locations, over personal internet connections and, sometimes, on personal devices outside of an organization’s control. Cloud-based data also sits outside the protection of the organization’s perimeter firewalls.
Malicious actors can attempt to pass themselves off as employees using new devices or may seize control of employees’ accounts or devices that are already familiar to the organization, then move within the network.
Organizations need to avoid locking out legitimate employees, but enabling the wrong device or allowing the wrong level of access privileges creates significant cyber risks.
To thread the needle, organizations that adopt the zero-trust approach require devices and users to verify themselves repeatedly and monitor them continually. Reducing each account’s privileges to only what is essential also minimizes the damage that a bad actor or malicious insider would be able to do.
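To make the contrast between the two models concrete, the following is an added example (not code from the article or from any product) of a per-request access decision that checks identity freshness, device posture and least privilege on every access, beside the single-login perimeter check. The role table, the re-verification window and the Request fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
import time

# Constructed, illustrative policy engine: every request is evaluated against
# verification freshness, device posture and a least-privilege role map,
# rather than trusting a single perimeter login.

REVERIFY_AFTER = 15 * 60  # seconds a verification stays fresh (assumed value)

# Least-privilege map: which resources each role may reach (constructed sample data)
ROLE_PERMISSIONS = {
    "finance": {"ledger"},
    "engineer": {"source-repo", "build-logs"},
}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    mfa_verified_at: float      # epoch time of the user's last MFA check
    device_managed: bool        # device is enrolled in the organization's management
    device_patched: bool        # posture attribute reported by the device agent
    now: float = field(default_factory=time.time)


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Any single failed check denies the request."""
    if req.now - req.mfa_verified_at > REVERIFY_AFTER:
        return False, "stale verification: re-authenticate with MFA"
    if not req.device_managed:
        return False, "unmanaged device"
    if not req.device_patched:
        return False, "device posture check failed"
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "least privilege: role has no access to this resource"
    return True, "ok"


def perimeter_decision(logged_in: bool) -> bool:
    """Castle-and-moat contrast: one successful login unlocks every resource."""
    return logged_in


if __name__ == "__main__":
    t = 1_700_000_000.0
    # Valid credentials reused from a device the organization does not manage
    print(zero_trust_decision(Request("alice", "finance", "ledger", t - 60, False, True, now=t)))
    print(perimeter_decision(True))
```

Note that with the perimeter model the stolen-credential request on an unmanaged device succeeds, while the per-request check denies it and records why.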
The federal government has thrown its support behind the idea, with Biden’s executive order asking federal agencies to transition to zero trust.
WHAT’S INVOLVED?
Organizations adopting zero-trust architecture — that is, a cybersecurity plan informed by zero-trust thinking — must address several core principles.
The National Institute of Standards and Technology (NIST) outlines seven tenets in a 2021 draft white paper and 2020 publication: